Summary
It is possible to obtain a user's NTLM hash by tricking them into cloning a malicious repository, or checking out a malicious branch, that accesses an attacker-controlled server. By default, NTLM authentication does not need any user interaction.
Impact
By brute-forcing the NTLMv2 hash (which is expensive, but possible), credentials can be extracted.
Workarounds
Consider only cloning repositories or fetching branches from people you trust.
References